Access Control
Lab:~# User ID controlled by request parameter with data leakage in redirect
Guys 👋 welcome back! Here is another write-up on a Web Security Academy lab. This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response. Let’s get started and exploit it.
End Goals :~#
- Solve the lab, obtain the API key for the user carlos and submit it as the solution.
- You can log in to your own account using the following credentials: wiener:peter
Testing For Vulnerabilities:
- In some cases, an application detects when the user is not permitted to access the resource and returns a redirect to the login page. The body of that redirect response can still contain the sensitive data.
- Log in using the supplied credentials to access your account page, and then let’s send the request to Repeater.
- Modify the value of the ‘id’ parameter to ‘carlos’ and send it. Carefully observe the response: it now redirects you to the homepage, but the body contains the API key belonging to Carlos.
- Copy the API key and submit. We solve the lab easily, right 😂
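Here is how this kind of leak can arise on the server side, next to a corrected handler and a regression check. This is an added example, not the lab's own code: the handler names, the tuple response format and the sample keys are constructed, and rendering the page before the ownership check is an assumed cause.

```python
# Constructed sample data: user names and API keys are placeholders.
USERS = {
    "wiener": {"api_key": "WIENER-KEY-EXAMPLE"},
    "carlos": {"api_key": "CARLOS-KEY-EXAMPLE"},
}


def render_account(user_id):
    """Render the account page body for the given user."""
    key = USERS[user_id]["api_key"]
    return f"<h1>My account</h1><p>Your API key is: {key}</p>"


def account_vulnerable(session_user, requested_id):
    """Bug: the page is rendered from the request parameter before the
    ownership check, and the redirect branch still returns that body."""
    body = render_account(requested_id)
    if requested_id != session_user:
        return 302, {"Location": "/"}, body  # redirect, but the body leaks
    return 200, {}, body


def account_fixed(session_user, requested_id):
    """Check ownership first; a redirect never carries account data."""
    if session_user is None:
        return 302, {"Location": "/login"}, ""
    if requested_id != session_user or requested_id not in USERS:
        return 302, {"Location": "/"}, ""
    return 200, {}, render_account(session_user)


def redirect_leaks(response, secrets):
    """Regression check: True if a 3xx response body contains any secret."""
    status, _headers, body = response
    return 300 <= status < 400 and any(s in body for s in secrets)


if __name__ == "__main__":
    secrets = [u["api_key"] for u in USERS.values()]
    for handler in (account_vulnerable, account_fixed):
        resp = handler("wiener", "carlos")
        print(handler.__name__, resp[0], "leaks:", redirect_leaks(resp, secrets))
```

A check like `redirect_leaks` fits in an integration test suite: request another user's `id` as a logged-in user and assert that any 3xx response has no account data in its body.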
That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!